3

I am currently developing several applications, mostly hosted on Azure : an Excel add-in (Office Apps) that calls an API hosted on Azure, a web application hosted on Azure, and probably other applications later.

To authenticate users, I use Azure Active Directory (Azure AD), based on Token authentication for the web API, and OpenID for the web application. Every call to the API or web app is thus authenticated thanks to the Azure AD, so Role-Based Access Control can be implemented in the application layer.

These API/apps are often calling an Azure SQL database and my question is the following : is it possible to use the authenticated user (from Azure AD) to also authenticate the database access ?

Currently, database credentials are hardcoded in the connection string (the login is created for the application), but this does not allow strict DB access control rules.

Additional information : integrated authentication (using Windows user) is not possible, because Windows login and Azure login are different in my organization : Azure and Windows Active Directories are different.

Thanks a lot for your help.

Improve this question

1 Answer 1

Reset to default
1

Yes, Azure SQL Server supports Azure Active Directory authentication. This article describes how to set it up: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication

Your database needs to be V12 for this feature. If it is not you can upgrade it to V12.

You can then connect to your database with a connectionstring like:

    string ConnectionString = @"Data Source=n9lxnyuzhv.database.windows.net; Authentication=Active Directory Integrated; Initial Catalog=testdb;";
    SqlConnection conn = new SqlConnection(ConnectionString);
    conn.Open();
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Hi Yoape, thanks for your answer. I already tried Active Directory Integrated, and it doesn't work. I guess this is because the users are not logged onto the Azure AD on the computer, but I'm not totally sure.
Since your users are not AAD authenticated on the computer, you may have to opt for Username/Password AAD. The details are on the same link @yoape posted.
Can we use something similar to github.com/Microsoft/sql-server-samples/tree/master/samples/… ? But for an ASP.NET Web API
Depending on how you have done the token authentication for your Web/Web API, it might be possible to use token authentication for the connection, check out 7.3 Connecting with an Azure AD token in the same article.
Concerning the web API : the token is acquired for the website calling the web api (which has a delegated right to call the API), which means the token resource is "mycompany.onmicrosoft.com/myWebsiteUsingTheAPI", not "database.windows.net". Is it possible to get access to the database with such a token, by delegating the permission ? I could not get it to work, and all tutoriel point to getting a token for "database.windows.net", which means a token dedicated to database access.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.